Trojan horse BHO.AZN virus?

I had some issues with Avast that I'm trying to straighten out, but in the meantime, to not be left vulnerable, I installed AVG.

It cleaned out about 10 trojan horse viruses that were sitting in either old backed-up .rar or .zip files that I had from ages ago, or in some old junk-mail emails (.eml files) from when I was running Windows Vista. Anyway, they were all put in the virus vault.

Now I get a notification from AVG that said it had found a virus or threat…

C:\Windows\System 32\nnnllmm.dll
Trojan Horse BHO.AZN

I told it to move it to the vault and as soon as it did my screen went black, and the computer rebooted and started back up fine. I looked in the virus vault and the program does list that file as being quarantined in there so…

Anyway I searched google for both nnnllmm.dll as well as Trojan Horse BHO.AZN but failed to find information for either search term.

Anybody have any clues as to what this virus is, what it can do etc.?

Thanks,

Well a google search for nnnllmm.dll on its own returns 6 hits, some that need translation. This would seem to indicate Vundo/Virtumond (adware) infection

This shows nnnllmm.dll detected and removed by Vundofix, so it may be worth running Vundofix to see if there are any other associated files.
http://translate.google.com/translate?..hijackthis-forum.de/showthread.php…nnnllmm.dll

Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Thanks, the Virtumonde tool did indeed find 3 files that it removed. This surprised me, since what I read was that the user might experience pop-up type browser windows informing them of viruses or malware etc. I've not experienced this, but nevertheless it was there.

Still have problems with AVG and its resident shield. Upon starting the computer, the resident shield is turned off and can't be turned on, as it's a grayed-out option. Upon repairing AVG the option becomes available again; the next time I reboot, the option is grayed out again and a repair is needed to get it working again. This is basically the same situation that I had with Avast. Even after using the Virtumonde program to remove the 3 files, a reboot causes this strange behavior, the same as it caused in Avast.

Since you folks seem more helpful to me than the folks at AVG, I’ll uninstall AVG and reinstall Avast in hopes that folks here will continue to help me work through this problem.

Thanks for the information, it is appreciated.

Adam

I’m an ex AVG user. I’m here quite some time and among other reasons, support and help 8)

Adam, right now, if you’re infected with Vundo/Virtumond you could, please, download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

I think the key words are ‘might experience’ because the vundo/virtumond has many variants.

Obviously we can’t help with any AVG related issue as we don’t have it installed, but we are more than willing to help where we can with this and avast.

I suggested some anti-rootkit tools in your other topic, http://forum.avast.com/index.php?topic=30455.msg251717#msg251717, have you tried these yet ?

I ran this last night after DavidR posted the links to Virtumonde. It indeed did find 3 files, and it cleaned them and rebooted the computer. I've run it again from the link Tech provided to be certain it didn't miss anything, and indeed the program informs me no files can be found. So the first pass must have gotten them.

I'm not sure where it would keep this log; I don't see any new files on my desktop, which is where I would have thought it would write a log file. If it writes them somewhere else, let me know and I'll see if I can find it on my computer and post it to a message here.

DavidR, yes, I ran both the rootkit tools and they found nothing. I also ran Spybot Search & Destroy as well as Ad-Aware, and both brought back the usual suspects of tracking cookies but nothing more.

I've also "immunized" my PC with Spybot, and it is catching a registry change on behalf of AVG, something about wanting to delete a registry value. I have a sneaking suspicion that whatever is trying to delete this registry value is what is causing AVG to turn off the resident shield, because when I deny it permission to change the registry value, the resident shield stays running like it should. I've not actually allowed it permission to change the value, so I can't say for certain whether allowing it to do so would turn off the resident shield until it is repaired again or not. I guess I'll have to try that and post back about it. But it seems quite likely to me that if whatever is trying to change the registry value is turning off the resident shield in AVG, then it's highly likely that it's the same thing that is turning off the On-Access scanner features of Avast.

The spybot log shows the following lines:
9/14/2007 11:49:48 PM Denied (based on user decision) value “AVG7_Run” (new data: “”) deleted in System Startup user entry!
9/15/2007 11:09:09 AM Denied (based on user decision) value “AVG7_Run” (new data: “”) deleted in System Startup user entry!

I'll do a reboot and let whatever it is change the registry value and see if the resident shield gets disabled again. That will certainly tell me that somewhere on my computer, something is doing this on purpose and it's no fluke.

I’ll post back in a bit.

Glad that you finally succeeded 8)
Welcome to avast forum and feel free to come back any time you need help. Better, login sometime to help the others 8)

Okay, I’ve uninstalled AVG, rebooted, and reinstalled Avast and updated. All seems well again and all seems normal at this time.

Thanks to all, especially for the links to the VundoFix program to get what there was off of my computer.

I'm now happily chugging along again with Avast protecting my system. Though I'm just slightly concerned that those files got on my system when it's been Avast that has been protecting my system since February, when I did a reformat of my HDD and reinstalled Windows, all programs and Avast. I don't usually turn off my anti-virus program for anything (even when games suggest turning off firewalls and antivirus software I won't do it), so I'm not sure how those three files managed to get through Avast in the first place. But… I'm now armed with four more tools that I can run (rootkit, Spybot, Ad-Aware and VundoFix) to keep my system a bit more clean and creepy-crawly free.

Thanks to you all.

If there’s something trying to make changes to your registry, I suggest your computer may not be entirely clean yet.

Could you post a HijackThis! log for us, then run a few online scans:

(Disable avast! while scanning.)

F-Secure
BitDefender
Panda
Trend Micro Housecall

When you have finished, scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections. (In the case of Vundo, it’s often an older version of Sun Java that has the vulnerability that allows the infection.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:03 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\nvraidservice.exe
D:\Utilities\RivaTuner\RivaTuner v2.01\RivaTuner.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\jv16 PowerTools 2007\jv16pt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E6F5CC6-D04F-46F8-89FE-B7277840A1BF} - C:\WINDOWS\system32\nnnllmm.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {93236595-2BE6-4B17-B1CF-F6D00911F37B} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O2 - BHO: Mouse Gestures - {A6A49249-57AE-4295-8D4D-18A9502C7D8E} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RivaTuner] "D:\Utilities\RivaTuner\RivaTuner v2.01\RivaTuner.exe" /T
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Utilities\RivaTuner\RivaTuner v2.01\RivaTuner.exe" /S
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [iWinArcadeIECleanup] C:\DOCUME~1\Adam\LOCALS~1\Temp\iWinArcadeAutocleanup.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Stardock\Object Desktop\IconX\IconX.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Start OpdiTracker.lnk = C:\Program Files\Opdicom\OpdiTracker\OptT3STA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\APPLIC~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra 'Tools' menuitem: Mouse Gestures... - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\APPLIC~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.ahmdealer.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184290738656
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6072D8FD-6EDD-4E70-BE39-E4DA0E007B5D}: NameServer = 66.75.160.15,66.75.160.16
O20 - Winlogon Notify: nnnllmm - nnnllmm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RRAANXGN - Unknown owner - C:\WINDOWS\srvany.exe
--
End of file - 9540 bytes

Strange:

O2 - BHO: (no name) - {7E6F5CC6-D04F-46F8-89FE-B7277840A1BF} - C:\WINDOWS\system32\nnnllmm.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [iWinArcadeIECleanup] C:\DOCUME~1\Adam\LOCALS~1\Temp\iWinArcadeAutocleanup.bat
O20 - Winlogon Notify: nnnllmm - nnnllmm.dll (file missing)

Although, when the file is missing, it seems that the entry remains there…

The other one that states file missing:
O2 - BHO: (no name) - {93236595-2BE6-4B17-B1CF-F6D00911F37B} - C:\WINDOWS\system32\jkhfg.dll (file missing)
was one of the files that the Virtumonde program removed from the computer, yet it still appears in the list.

I think the iWinArcadeIECleanup entry remains because I just uninstalled the iWin browser game thingy (plugin??) and have yet to reboot my system, as I'm currently doing those online scans that you suggested first. I'm pretty sure it will end up getting removed after a reboot.

Should I be concerned that the files are missing but the entries remain?

You can delete all entries (file missing) with HijackThis itself.

Should I be concerned that the files are missing but the entries remain?

Not necessarily: malware scanners sometimes delete malware files but leave the registry entry.

These can be fixed with HijackThis! (You’ll need to disable Spybot Teatimer first as it blocks registry changes.)

O2 - BHO: (no name) - {7E6F5CC6-D04F-46F8-89FE-B7277840A1BF} - C:\WINDOWS\system32\nnnllmm.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {93236595-2BE6-4B17-B1CF-F6D00911F37B} - C:\WINDOWS\system32\jkhfg.dll (file missing)

O20 - Winlogon Notify: nnnllmm - nnnllmm.dll (file missing)

Run HijackThis! again to check they’ve gone.

There is another possibility that something could be hiding the file so it appears missing, which is why the anti-rootkit tools were important.

Hence the ‘not necessarily’ and the ‘Run HijackThis! again to check they’ve gone.’ :wink:

If they haven’t gone, then something is afoot. And a stinky one at that.
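As an added example (constructed for this discussion, not code from the thread, HijackThis or any of the tools named here), a small Python parser for HijackThis-style log lines that flags the orphaned "(file missing)" / "(no file)" entries discussed above and reports any module name registered in more than one load point, as nnnllmm.dll is in both the O2 BHO and the O20 Winlogon Notify entries. The sample lines are constructed from the log posted earlier in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the HijackThis v2 log posted in this thread:
# one legitimate BHO, three orphaned BHOs, a Run key, a Winlogon Notify
# handler and a service. Not a real scan of any machine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E6F5CC6-D04F-46F8-89FE-B7277840A1BF} - C:\WINDOWS\system32\nnnllmm.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {93236595-2BE6-4B17-B1CF-F6D00911F37B} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: nnnllmm - nnnllmm.dll (file missing)
O23 - Service: RRAANXGN - Unknown owner - C:\WINDOWS\srvany.exe
"""

# "O2 - ..." section code followed by the rest of the line.
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Trailing module name (DLL/EXE), optionally followed by HijackThis's marker.
MODULE_RE = re.compile(r"([\w~.\-]+\.(?:dll|exe))\s*(?:\(file missing\))?$", re.I)
ORPHAN_MARKERS = ("(file missing)", "(no file)")

@dataclass
class Entry:
    section: str           # HijackThis section, e.g. O2 (BHO), O20 (Winlogon Notify)
    body: str              # everything after the section code
    orphan: bool           # registry entry survives but the file it points to does not
    module: Optional[str]  # lower-cased base name of the referenced file, if any

def parse_entry(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header lines, process list, blank lines
    section, body = m.groups()
    orphan = any(marker in body for marker in ORPHAN_MARKERS)
    mod = MODULE_RE.search(body)
    return Entry(section, body, orphan, mod.group(1).lower() if mod else None)

def parse_log(text: str) -> list:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def orphaned_entries(entries: list) -> list:
    """Entries HijackThis can fix because the file they point to is gone."""
    return [e for e in entries if e.orphan]

def multi_loadpoint_modules(entries: list) -> dict:
    """Modules referenced from more than one section. A DLL that is both a
    BHO (O2) and a Winlogon Notify handler (O20) is the layout seen in this
    thread's log, so such names deserve a closer look."""
    loads = defaultdict(set)
    for e in entries:
        if e.module:
            loads[e.module].add(e.section)
    return {name: sorted(secs) for name, secs in loads.items() if len(secs) > 1}
```

An entry flagged here is only "missing" from HijackThis's point of view; as the replies above note, a file hidden by a rootkit looks the same in the log, which is why the anti-rootkit scan comes first and the log is re-run after fixing.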

Understood, thanks. In this circumstance, however, I am rather certain that some of those files were indeed removed by the Virtumonde program, and the nnnllmm.dll was removed by AVG.

When AVG removed the nnnllmm.dll file it caused my computer screen to go black and a reboot of the system, but scanning after that, AVG did not report nnnllmm.dll on my system. Now a full scan with Avast this morning also did not report any trojans or viruses as being present. I'm still doing the online F-Secure test to see if it will detect something Avast doesn't.

I find it strange, though, that Avast never reported the nnnllmm.dll file to me since last February. Perhaps installing AVG caused something to activate or use that file, which made AVG report it as a threat. I dunno.

If this was, as indicated, a Vundo/Virtumond infection, it is an adware infection, and although avast detects some adware infections it isn't a specialist anti-adware/spyware program, and no one program is likely to give 100% protection. That is why we usually suggest that people also have an anti-spyware application to complement avast. AVG Anti-Spyware is one; SuperAntiSpyware or SpywareTerminator are others. SpywareTerminator provides resident anti-spyware protection, where the other two are on-demand (after the 30-day trial of AVG-AS).